Jeffrey Walton <noloader@gmail.com> writes:
> Or you can use the test vectors from Wei Dai's Crypto++. The project already generated test vectors for 1x, 4x and 12x blocks. The test vectors include Bernstein's ChaCha and the IETF version. Also see https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt
Thanks, I've copied one of the 1024 byte test vectors from there.
> You might also consider changing the project's governance to require a complete set of test vectors for each algorithm. If you are doing 4x blocks, then you need test vectors covering them. You should also use an independent program to generate them, like Bernstein's reference implementation. (I don't believe the IETF provides a reference implementation.)
In this case, the coverage problem wasn't mainly lack of authoritative test vectors, but missing coverage for sequences of calls to chacha_crypt/chacha_crypt32. The bug was in the counter update at the very end of the processing, for certain data sizes, and would not cause obviously incorrect results until the next call.
For tests that vary things like alignment, message size, how to split a message into multiple calls, etc., I think it's usually good enough to check that the result always is identical to the simplest way to do it (say, using a single call for the complete message, friendly alignment, and without involving any assembly code). I think of those kinds of tests as mostly orthogonal to tests using authoritative test vectors.
I've pushed test updates to the branch fix-chacha-counter, and CI builds now fail on ppc64. The fix posted to the list appears to work; I'll push that to the branch in a moment.
Regards,
/Niels
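
The split-call consistency check described in the message above, as an added example that is not part of the original mail and not nettle's code: a self-contained ChaCha keystream with a carried-over block counter is compared, for every block-aligned two-call split, against a single call over the whole message. The function names, the `faulty` flag and the key/nonce are assumptions; the defect that flag enables (a wrong counter after calls whose length is a multiple of 256 bytes) is constructed to mimic the failure mode described and is not the actual ppc64 bug.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8), c += d, b ^= c, b = ROTL(b, 7))
static void chacha_block(const uint32_t in[16], uint8_t out[64]) { /* 20-round ChaCha core */
  uint32_t x[16];
  memcpy(x, in, sizeof x);
  for (int i = 0; i < 10; i++) {
    QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
    QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
    QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
    QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
  }
  for (int i = 0; i < 64; i++) out[i] = (uint8_t)((x[i / 4] + in[i / 4]) >> (8 * (i % 4)));
}

static void state_init(uint32_t s[16]) {
  s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
  for (uint32_t i = 4; i < 16; i++) s[i] = 0x01010101u * i; /* constructed key and nonce */
  s[12] = 0; /* 32-bit block counter */
}

/* XOR keystream over src; the counter s[12] carries over to the next call. */
static void stream_crypt(uint32_t s[16], int faulty, size_t len, uint8_t *dst, const uint8_t *src) {
  uint8_t ks[64];
  for (size_t done = 0; done < len; done += 64, s[12]++) {
    chacha_block(s, ks);
    for (size_t i = 0; i < 64 && done + i < len; i++) dst[done + i] = (uint8_t)(src[done + i] ^ ks[i]);
  }
  if (faulty && len % 256 == 0) s[12]--; /* constructed defect, not nettle's actual bug */
}

/* 1 if every block-aligned two-call split of a len-byte message equals one call. */
static int split_consistent(int faulty, size_t len) {
  uint8_t msg[1024] = {0}, ref[1024], out[1024]; /* zero plaintext: output is raw keystream */
  uint32_t s[16];
  if (len > sizeof msg) return 0;
  state_init(s);
  stream_crypt(s, 0, len, ref, msg); /* simplest path: one call, no defect */
  for (size_t k = 64; k < len; k += 64) {
    state_init(s);
    stream_crypt(s, faulty, k, out, msg);
    stream_crypt(s, faulty, len - k, out + k, msg + k);
    if (memcmp(out, ref, len) != 0) return 0;
  }
  return 1;
}
int main(void) { return !(split_consistent(0, 1024) && !split_consistent(1, 1024)); }
```

With the defect enabled, a 192-byte message still passes because no call reaches the affected size, so the sizes used in such a test have to include the ones that take the multi-block path.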